Who receives Synchroization Errors by Email from The Azure Active Directory Team? This would be the Techincal Contact in the Azure AD Tenant. The other day I came across two emails telling us it was unable to update certain objects, because the values allready existed in Azure AD, synchronized from a different object i AD.
This is pretty common to Proxyaddresses, because AD allows multiple objects to have the same values, but Azure AD doesn’t. Especially UPN, SMTP, SIP and other references we use to communicate and collaborate with.
I have synchronized alot of AD to Azure DA, and enabling that feature doesn’t take long time. But if you haven’t control over your AD Objects, it can become time consuming to fix synchronization errors. So be sure to be in control of your creation, editing and deletion of objects within your AD.
And most times we see these synchronization errors within the Azure AD Connect console, but for the two errors received only by email, I couldn’t find any errors in Azure AD Connect. Or any duplicates in my local AD. I used ADUC with a Custom Search to look for the different addresses:
I found no duplicated SMTP Addresses and the UPN mentioned didn’t even exist in AD anymore. Could be some objects created and deleted, but the synchronization error emails kept on coming.
So why would the technical contact keep getting these synchronization error emails? As seen here it is because of duplicate UPN and Proxyaddresses/SMTP:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [UserPrincipalName username@contoso.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@contoso.com,smtp:username@contoso.mail.onmicrosoft.com;Mail username@contoso.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
So now that the local AD is healthy, I moved on to Azure AD and couldn’t find the UPN their either. But the mentioned SMTP addresses was found, and I added another SMTP address, which got synchronized to Azure AD without any challenges at all.
At this point my head was out of ideas, and I turned to the Office 365 Support Team in order to understand why these emails kept coming. Couple of hours later I was contacted by a Support Engineer, did all the checks I had done before, and after a couple times on hold we did a wider search in Azure AD including the Azure AD Recyclebin.
And how about that, the duplicated UPN that didn’t exist in my AD or under Active Users in Azure AD, was found not one, but three times in the Azure AD Recyclebin. And the duplicated SMTP address was also found in the Recyclebin, along with the Active User. This we did by storing every User, Group, Contact and Deleted Users, merged them together and search for any attribute with the value of username@contoso.com.
$a = get-msoluser -all $b = get-msoluser -all -returndeletedusers $c = get-msolgroup -all $d = get-msolcontact -all $all = $a+$b+$c+$d $search = "username@contoso.com" $all | ?{$_.emailaddresses -match $search -or $_.emailaddress -match $search -or $_.userprincipalname -eq $search -or $_.proxyaddresses -match $search}
This allowed us to see there were multiple objects with these mentioned duplicate values, and even though they didn’t do any harm to our users, it was kind of annoying to get these error emails every day. So we could have just deleted all User Objects from the Recyclebin:
Get-MsolUser -ReturnDeletedUsers -All | Remove-MsolUser -RemoveFromRecycleBin –Force
But I didn’t want to delete them all, only those that kept the Azure AD Team sending us these duplicate error emails. If they where uniqe I could have used the normal command to target a UserPrincipalName:
Get-MsolUser -UserPrincipalName username@contoso.com -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
But I had three deleted users with duplicate UPN, so that only created a red error PowerShell telling me it couldn’t decide which user with that UPN to delete. So what would be uniqe to each user even if they had the same UPN? ObjectID, and just used a short format-list to find UPN and Object IDs:
Get-MsolUser -ReturnDeletedUsers -All | Format-List UserPrincipalName,ObjectID
But just to make it a little more under control, I did a output to a txt file, letting me delete the records I than had deleted from the Recyclebin to keep track of my progress.
Get-MsolUser -ReturnDeletedUsers -All | Format-List UserPrincipalName,ObjectID | Out-File mylist.txt
Go through you txt file, and found the Users responsible for this uneccessary error emails. At the best it could let me know someone was struggling with User creation within my organization. So to finish this up, return your deleted user by ObjectID and Delete it from DeletedUsers:
Get-MsolUser -ObjectId cf71c04e-a11f-4ec7-8ab2-57b44464ef0a -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
I hope this might keep someone from banging their head into the wall 🙂
Leave a Reply
You must be logged in to post a comment.